SecurityPkg/DxeImageVerificationHandler: fix "defer" vs. "deny" policies

[mirror_edk2.git] / SecurityPkg / Library / DxeImageVerificationLib / DxeImageVerificationLib.c

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 015a5b61a3012860f0a9452b074e02659f0cb451..dbfbfcb4fb3aa5a26ecd37d2227e160e946c2f2b 100644 (file)
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1548,7 +1548,8 @@ Done:
                                  execution table.\r
   @retval EFI_ACCESS_DENIED      The file specified by File and FileBuffer did not\r
                                  authenticate, and the platform policy dictates that the DXE\r
-                                 Foundation many not use File.\r
+                                 Foundation may not use File. The image has\r
+                                 been added to the file execution table.\r
 \r
 **/\r
 EFI_STATUS\r
@@ -1872,7 +1873,8 @@ DxeImageVerificationHandler (
 \r
 Failed:\r
   //\r
-  // Policy decides to defer or reject the image; add its information in image executable information table.\r
+  // Policy decides to defer or reject the image; add its information in image\r
+  // executable information table in either case.\r
   //\r
   NameStr = ConvertDevicePathToText (File, FALSE, TRUE);\r
   AddImageExeInfo (Action, NameStr, File, SignatureList, SignatureListSize);\r
@@ -1885,7 +1887,10 @@ Failed:
     FreePool (SignatureList);\r
   }\r
 \r
-  return EFI_SECURITY_VIOLATION;\r
+  if (Policy == DEFER_EXECUTE_ON_SECURITY_VIOLATION) {\r
+    return EFI_SECURITY_VIOLATION;\r
+  }\r
+  return EFI_ACCESS_DENIED;\r
 }\r
 \r
 /**\r